https://gcc.gnu.org/bugzilla/show_bug.cgi?id=49905
Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2016-05-02
                 CC|                            |msebor at gcc dot gnu.org
     Ever confirmed|0                           |1
      Known to fail|                            |5.3.0, 6.0

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
5.1 and 6.1 warn on the first six out of the ten buffer overflows, and on Linux the program aborts at runtime in __sprintf_chk. GCC still doesn't diagnose any of the last four problems at compile time (e.g., in 'char buf [4]; sprintf (buf, "%s %s", "abc", "def");').

It seems that this class of problems could be handled by enhancing maybe_emit_sprintf_chk_warning to loop over the format string, recognize more involved format strings with embedded %s (and other simple directives), and count the number of characters they emit for constant arguments. For slightly better compile-time coverage the approach could even assume that simple non-string directives like %i result in at least one character and compute an optimistic lower bound on the length of the formatted string.
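The lower-bound walk sketched in the comment, written out as an added example (it is not GCC's maybe_emit_sprintf_chk_warning and not code from the bug thread). It assumes that only the string arguments for %s directives are known constants, passed as a NULL-terminated array, and that every other directive emits at least one character; the function names sprintf_min_len and sprintf_would_overflow are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Optimistic lower bound on the characters (excluding the NUL) that sprintf
   would write for FMT.  Constant %s arguments come from SARGS in order; any
   other directive is assumed to emit at least one character, so the result
   can undercount but never overcount the real output.  */
size_t sprintf_min_len(const char *fmt, const char *const *sargs)
{
    size_t n = 0;
    for (const char *p = fmt; *p; ++p) {
        if (*p != '%') { ++n; continue; }
        ++p;
        if (*p == '%') { ++n; continue; }           /* "%%" emits one '%' */
        while (*p && strchr("-+ #0", *p)) ++p;      /* flags */
        size_t width = 0;                           /* output is >= width */
        if (*p == '*') ++p;                         /* unknown width: assume 0 */
        while (*p >= '0' && *p <= '9') width = width * 10 + (size_t)(*p++ - '0');
        size_t prec = (size_t)-1;                   /* caps %s length */
        if (*p == '.') {
            ++p;
            if (*p == '*') { ++p; prec = 0; }       /* unknown precision: assume 0 */
            else { prec = 0; while (*p >= '0' && *p <= '9') prec = prec * 10 + (size_t)(*p++ - '0'); }
        }
        while (*p && strchr("hlLjzt", *p)) ++p;     /* length modifiers */
        if (!*p) break;                             /* malformed trailing '%' */
        size_t emitted;
        if (*p == 's') {
            const char *s = (sargs && *sargs) ? *sargs++ : NULL;
            emitted = s ? strlen(s) : 0;            /* unknown string: 0 chars */
            if (emitted > prec) emitted = prec;
        } else if (*p == 'n') {
            emitted = 0;                            /* %n writes nothing */
        } else {
            emitted = 1;                            /* %i, %d, %x, %c, ...: >= 1 */
        }
        n += emitted > width ? emitted : width;
    }
    return n;
}

/* Nonzero when even the lower bound plus its NUL cannot fit in BUFSIZE,
   i.e. the call is a certain overflow that a compile-time check could flag.  */
int sprintf_would_overflow(size_t bufsize, const char *fmt, const char *const *sargs)
{
    return sprintf_min_len(fmt, sargs) + 1 > bufsize;
}

/* Constructed inputs: the comment's 'char buf [4]; sprintf (buf, "%s %s", "abc", "def");'.  */
static const char *const bug_sargs[] = { "abc", "def", NULL };
static const char bug_fmt[] = "%s %s";
```

With these inputs sprintf_min_len returns 7, so a 4-byte buffer is reported as an overflow even though every %s argument is constant and the literal space is the only non-directive character.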